Blockchain AuditCloud — Secure shifting of corporate audits to the cloud

How Blockchain/DLT can automate the certification of companies

Daniel Trauth
senseering
10 min read · May 20, 2020


Co-Authors: T. Bergs, Johannes Mayer, A. Beckers, A. Stoffers

This article is also available in German.

Preamble

This use case was created within the project Blockchain Reallabor für das Rheinische Revier, funded by the Ministry of Economics, Innovation, Digitisation and Energy of the State of North Rhine-Westphalia, with the aim of forming a thematic community of interests. If you feel addressed, please contact us (mail@senseering.de), Alexander Stoffers from NextAudit or contact the project directly via kontakt_realllabor@fit.fraunhofer.de or https://blockchain-reallabor.de/. The original publication by the Blockchain Reallabor can be found here (german).

Problem

Audits fulfil the task of checking and proving whether, for example, a production process meets the quality requirements on the basis of selected test criteria [1]. Possible criteria for the production process include productivity (output quantity in relation to input quantity), process stability, the guarantee of the function to be fulfilled and scalability. Audits are generally differentiated between First Party (product audit, process audit, system audit), Second Party (supplier audit) and Third Party (certification audit). They take place at fixed time intervals and are carried out by a neutral auditor and an accompanying, uninfluenced observer. Based on the information provided, the auditor evaluates the products/processes, prescribes any measures to be implemented and reports the results of his inspection to the responsible management. For companies from different industries, it is essential for success to have a valid certification. Especially for safety-critical components and their production processes, certification and corresponding audits are of central importance [3].

Audits are characterised by seven principles, compliance with which is extremely difficult to prove [4]. All persons involved in the audit process (including auditors and observers etc.) should act with integrity, objectivity, care, confidentiality, independence, factual support and risk orientation. This requires honesty, responsibility, competence, impartiality, objectivity, sensitivity and security of information with regard to any influences on their ability to judge when auditing products/processes. These qualities are currently difficult to guarantee or prove. The potential distrust in the intermediary with regard to the neutral evaluation and handling of the provided product/process specific information as well as the one-time testing of the products/processes within a defined time interval (scheduled) can affect the trust of the customer.

Due to the lack of trust in the intermediary, a very large number of supplier audits are carried out in the industry, as each customer audits its supply chain independently. The lack of trust thus leads to over-auditing in the economy, which should be avoided from an economic point of view. A simple example: Both VW and BMW purchase parts from the supplier Rehau. VW audits Rehau and awards school grade 1; the following week BMW comes and audits Rehau, again awarding school grade 1, because the same scheme is used. One of the two audits was economically superfluous.

Solution approach

As a possible solution to the problems of a lack of trust in the uniform, neutral evaluation of the auditors and the scheduled auditing, a blockchain-based solution for all audit actors (manufacturing companies, suppliers, customers) can provide remedies.

The auditing is based on the encrypted transfer of all audit/certification relevant information of a supplier or manufacturing company into the blockchain platform. Responsible parties can access this process data (e.g. by paying a special certification token), either to check a new certification or to check whether a company, supplier, process or product meets the necessary requirements to maintain the current certification. The former auditor assumes the new role of a data analyst, who assesses the reliability of digital data and systems and identifies risks more quickly. As soon as he or she examines the available data, a smart contract is used to demand payment for the audit work. During data analysis, the data provided is mirrored against the quality requirements on the basis of the defined audit criteria and encrypted feedback (with corrective measures if necessary) is transferred to the blockchain platform, in real time if required. Smart Contracts enable an immediate transfer of the measures, so that they can be implemented as quickly as possible after the affected company has been informed. If the requirements are met, the successful certification is confirmed via Smart Contract, otherwise it is withdrawn. Every actor along the value chain can now view the successful/unsuccessful certification.

Figure 1: Use Case Blockchain AuditCloud. Image: © A. Stoffers (NextAudit UG); A. Beckers, J.Mayer (WZL); S. Becker (senseering)

On the one hand, auditing is fact-based, objective and transparent due to the obsolescence of the auditor or his role shifting towards a pure data analyst. On the other hand, companies are always responsible for designing their products or processes in accordance with certification-relevant requirements, since by providing the information, an audit can be carried out automatically at any time. The confidence of the stakeholders in the products/processes is maintained/increased by this obligation of the producing company.

As a first step, it is a good idea to set up a network of trust with supplier audits, in which the production processes are not yet automatically included in a data-driven audit. Instead, supplier audits could be stored on a blockchain in a tamper-proof manner and paid for by other partners in the production network upon inspection via a smart contract. With this approach alone it would be possible to save many unnecessary audits. The network of trust could be further developed by an integrated evaluation mechanism (AI-supported).
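As an added illustration (not code from the Blockchain Reallabor project, senseering or nextAudit), the following Python models the flow described in the solution approach and in the supplier-audit first step: process data is mirrored against defined criteria, the data analyst is paid, the certification is confirmed or withdrawn, every record is hash-chained so that later edits are detectable, and a partner can buy an existing audit record instead of commissioning a new one. The criteria, token amounts and actor names are constructed assumptions, and the single-process hash chain is a stand-in for the DLT platform, not a consensus protocol.

```python
import hashlib
import json

CRITERIA = {"productivity": 0.90, "process_stability": 0.95}  # constructed: metric -> minimum
ANALYST_FEE = 10   # tokens the supplier pays the data analyst per evaluation (assumed)
REPORT_PRICE = 5   # tokens a partner pays to read an existing audit record (assumed)

def digest(prev, payload):
    body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class AuditLedger:
    """Append-only, hash-chained record standing in for the DLT platform."""
    def __init__(self):
        self.blocks = []       # each: {"prev": hash, "payload": dict, "hash": hash}
        self.balances = {}     # token account per actor
        self.certified = {}    # supplier -> True/False, readable by every partner

    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "payload": payload, "hash": digest(prev, payload)})
        return self.blocks[-1]["hash"]

    def verify(self):
        """Recompute every hash and link; editing any stored record breaks the chain."""
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or digest(prev, b["payload"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def evaluate(self, supplier, analyst, process_data):
        """Smart-contract step: mirror data against CRITERIA, pay, confirm/withdraw."""
        deviations = sorted(k for k, minimum in CRITERIA.items()
                            if process_data.get(k, 0) < minimum)
        self.balances[analyst] = self.balances.get(analyst, 0) + ANALYST_FEE
        self.balances[supplier] = self.balances.get(supplier, 0) - ANALYST_FEE
        self.certified[supplier] = not deviations
        return self.append({"type": "audit", "supplier": supplier, "analyst": analyst,
                            "data": process_data, "passed": not deviations, "measures": deviations})

    def purchase_report(self, buyer, supplier):
        """Variant A: a partner buys the latest audit record instead of re-auditing."""
        reports = [b for b in self.blocks if b["payload"].get("supplier") == supplier]
        if not reports or self.balances.get(buyer, 0) < REPORT_PRICE:
            return None
        self.balances[buyer] -= REPORT_PRICE
        self.balances[supplier] += REPORT_PRICE
        self.append({"type": "access", "buyer": buyer, "report": reports[-1]["hash"]})
        return reports[-1]["payload"]
```

Each access is itself recorded as a block, so who read which report is as traceable as the audit result.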

A Blockchain AuditCloud enables cost-effective, data-driven and tamper-proof verification processes. The costs for the third instance of the auditor are reduced and the payment for e.g. the data analyst, the audit or the certification is done automatically. In the end, trust is considered verified by the transparency generated. Auditing can be performed automatically at any time (24/7 audits). Improvements to products, processes or supply chains can be implemented more quickly, as there is no need to wait for the audit at the end of the year. The simple, automatic and fast feasibility removes the limitation to random samples and allows the auditing of entire data sets. This promotes work/production according to certification standards and thus customer confidence. The report, which must be kept as proof of the audit performed, can be stored in the blockchain in a tamper-proof manner.

A successful certification or non-certification is visible, digitally marked and traceable for every partner along the value chain. Fake certifications are immediately visible. The advantage of this transparency is the confidence of producing companies in manufacturers/suppliers from other countries and their certification, so that materials can be obtained from previously unrecognised, distrusted countries [5].

Challenges

For the described use case, a consistent audit and certification process is necessary, which should be defined, for example, in the form of an ISO standard. Standards for a successful certification complete the aspect of complete trust, as they guarantee a continuous evaluation standard between different companies. A comparison with the certification-relevant requirements of such a standard requires the identification of suitable, component-/process-specific process data. The influences of individual process input variables on component characteristics must be known for this purpose or derived via developed models so that deviations from specifications can be identified. For data collection, the implementation of sensor systems is necessary, which transfer the information into a decentralized network. If the availability of suitable data is guaranteed, the original auditors must be trained in their new role as data analysts in order to make audit or certification-relevant statements from the available data.

Across applications, the trust in the data provided and the choice of technology are challenges to be solved. Information transferred to the blockchain platform is unchangeable and is specified completely with a location and time stamp for trust purposes. This enables traceability at any time. The reconciliation and control of transactions and information by the participants in the network also creates confidence in the accuracy of the data. A comparison of machine running times and produced quantity guarantees a verification of the stored information. When selecting a suitable technology, it must be taken into account that its properties have different characteristics. An Ethereum blockchain, for example, has a high degree of flexibility with regard to the definition of conditions for the execution of Smart Contracts, but the complexity of this technology is significantly higher than that of other technologies. The relationship between these characteristics is also competitive: it is not possible to optimize flexibility while improving performance. Ultimately, the characteristics of the individual use case define the appropriate technology. The so-called Tangle from the category of Directed Acyclic Graphs (DAG) is suitable in production environments where large amounts of data are generated, especially due to its very good scalability and its high transaction speed compared to the classical Bitcoin blockchain.

Stakeholder

Manufacturing companies, audit and certification providers and other contractual partners of the manufacturing company along the entire value chain (suppliers, customers, producers) are potential stakeholders for this application. A blockchain-based auditing, whether product-, process- or supplier-related, creates trust among customers in the respective product and company. The intended solution is particularly suitable for value-added networks that lack the rigid hierarchy of classic automotive supply chains. In hierarchical supply chains, the dependency on the customer increases the pressure so much that a certain level of quality must be ensured. In non-hierarchical networks this power factor is missing. A certification variant, as described in this use case, and the associated verification by the network participants can provide a remedy at this point, especially for small and medium-sized companies.

Companies from North Rhine-Westphalia already offer modules for the solution of the described concept. The combination of the existing expertise in cloud-based auditing, in the provision of platforms for free and abuse-protected data trade, as well as in production-related questions enables the potential of a short-term conversion and implementation of this use case. Every supplier or producer would be able to replace the complex, cost-intensive on-site audit process with a manipulation-free, data-driven, automated verification process and at the same time increase its sales volume through the trust created among customers in its products and processes.

Preliminary work

In NRW (Aachen) the startup nextAudit UG has developed a prototype. Under the project name AuditCloud, nextAudit UG provides a cloud platform for the holistic mapping of audit processes. For each audit process the AuditCloud offers audit planning, different audit templates, audit execution and follow-up as well as action control. A link with e.g. the Tangle would raise the existing advantages of the startup nextAudit UG (“simple, fast audits”, “transparency” and “reduction of documentation effort”) to a new level. Automatic auditing, certification, payment and tamper-proof storage of data and certificates can perfect the AuditCloud. Together, senseering and nextAudit want to make the AuditCloud tamper-proof through a DLT.

Next Steps: Supplier Audits

The automotive industry attaches great importance to regulated quality and process management. OEMs as well as suppliers are subject to strict regulations to ensure high quality with regard to products, processes and infrastructure within the entire supply chain. Certification is intended to create confidence among (potential) customers in the system and process quality. A supplier is only enabled to supply an automotive manufacturer if he can show a valid certificate.

Variant A: Purchase of a third-party audit as proof of successful auditing

One supplier supplies different OEMs and has been successfully audited and certified several times in the past. A new potential OEM would also like to use the same supplier due to its reputation, but requires an audit before doing so. However, the company performing the audit cannot perform an audit due to time constraints, for example.

Solution: The last audit was carried out by a renowned company and found to be good. The company performing the audit, which cannot perform its own audit due to time constraints, can purchase the supplier audit via a DLT platform and prove that the supplier meets the requirements.

Variant B: Overcoming Power Imbalances

Variant B is distinguished from Variant A by the power asymmetry between two parties in a supply chain. Assumption: Within a supply chain of the automotive industry all suppliers have to be audited. These suppliers can be big players such as Bosch or small and medium-sized companies. Bosch’s power makes it possible to enforce audits among small and medium-sized companies. Conversely, however, it is possible or very likely that Bosch will not stop production so that an SME can carry out an audit. The direct automobile manufacturer, on the other hand, has sufficient power/influence to persuade Bosch to carry out an audit.

Solution: Similar to Variant A, a kind of marketplace or stock exchange based on a Distributed Ledger enables small companies to obtain an audit confirmation from large players along the supply chain. This enables them to prove that their entire supply chain has been audited on the basis of an externally initiated and conducted audit.

Variant C: Network effects by sharing the results of different audits

A supplier is audited by two different clients. The problem is that both audits have come to different results and OEMs may distrust the supplier.

Solution: The OEMs or the companies performing the audit can “buy” the audit report of the other company on the blockchain platform and optimize their own value creation by analyzing the differences.

Sources

[1] DIN EN ISO 9001

[2] DIN 18200

[3] DIN EN 9104

[4] DIN EN ISO 19011

[5] https://www2.deloitte.com/de/de/pages/audit/articles/blockchain-abschlusspruefung.html

[6] Kannengießer, N., Lins, S., Dehling, T., Sunyaev, A.: Mind the Gap: Trade-Offs Between Distributed Ledger Technology Characteristics; 2019


senseering GmbH

The senseering GmbH is a company founded in September 2018 that was awarded the RWTH Aachen University Spin-Off-Award. The core competence of senseering GmbH is the development and implementation of systems for the digitalization and networking of industrial and production facilities. Likewise, senseering GmbH advises on strategic corporate issues, in particular digital transformation, distributed-ledger technologies, edge vs. cloud computing architectures for AI-based real-time control of industrial processes, digital business model innovation and the introduction of digital business processes such as home office, Azure or Microsoft 365. Senseering is one of the winners of the first and largest AI innovation competition of the BMWi with the project www.spaicer.de.

Daniel Trauth (CEO) | www.senseering.de | E-Mail: mail@senseering.de
